Cybersecurity Incident Response Plan (Hong Kong)
CYBERSECURITY INCIDENT RESPONSE PLAN
[Organisation Name]
Effective Date: [Effective Date]
Incident Response Lead: [Incident Lead Name]
Contact: [Incident Lead Contact]
1. PURPOSE AND SCOPE
1.1 This Cybersecurity Incident Response Plan (“Plan”) establishes the procedures for detecting, responding to, containing, and recovering from cybersecurity incidents affecting [Organisation Name] (“the Organisation”).
1.2 This Plan ensures compliance with DPP 4 (Security) of the Personal Data (Privacy) Ordinance (Cap. 486) and the PCPD’s guidance on data breach handling.
2. INCIDENT RESPONSE TEAM
2.1 The Incident Response Team comprises: [Response Team Members]
2.2 External contacts: [External Contacts]
3. INCIDENT CLASSIFICATION
3.1 Incidents are classified by severity: [Severity Levels]
3.2 All employees must report suspected cybersecurity incidents [Reporting Timeframe] to the Incident Response Lead or IT Security team.
4. INCIDENT RESPONSE PROCEDURES
4.1 Detection and Reporting: Upon detecting or receiving a report of a suspected incident, the IT Security team shall perform an initial triage to determine severity and activate the response team as appropriate.
4.2 Containment: Immediately isolate affected systems to prevent further compromise. Preserve forensic evidence by imaging affected systems before remediation. Disable compromised accounts and block malicious network traffic.
4.3 Investigation: Conduct a thorough investigation to determine the cause, scope, and impact of the incident. Engage external forensic specialists if required. Document all findings and maintain a chain of custody for evidence.
5. NOTIFICATION
5.1 PCPD notification: [PCPD Notification]. Where a data breach involving personal data is confirmed and poses a real risk of harm to affected individuals, the Organisation shall notify the PCPD using the Data Breach Notification Form.
5.2 Notification timeframe: [Notification Timeframe].
5.3 Affected individuals shall be notified as soon as practicable, providing: a description of the incident; what personal data was affected; what the individual can do to protect themselves; and the Organisation’s contact details for further information.
5.4 Law enforcement notification: [Law Enforcement Threshold]
6. RECOVERY
6.1 Recovery procedures: [Recovery Procedures]
6.2 Systems shall not be returned to production until verified clean by the IT Security team.
7. POST-INCIDENT REVIEW
7.1 Within 14 days of incident closure, the Incident Response Lead shall conduct a post-incident review to identify root cause, lessons learned, and required improvements to security controls and this Plan.
7.2 A written post-incident report shall be prepared and shared with senior management.
8. TESTING AND MAINTENANCE
8.1 This Plan shall be tested: [Testing Frequency]. Testing shall include tabletop exercises and simulated incident scenarios.
8.2 This Plan shall be reviewed and updated at least annually or following any significant incident.
9. GOVERNING LAW
9.1 This Plan is governed by the laws of the Hong Kong Special Administrative Region of the People’s Republic of China.
APPROVAL
This Cybersecurity Incident Response Plan has been reviewed and approved by the undersigned.
Incident Response Lead / CISO
________________
Signature
Chief Executive Officer
________________
Signature
What Is a Cybersecurity Incident Response Plan (Hong Kong)?
A Cybersecurity Incident Response Plan for a Hong Kong organisation sets out, before any incident occurs, how the organisation will detect, report, contain, investigate, recover from, and notify cybersecurity incidents, and who is responsible for each step.
Data Protection Principle 4 (DPP4) of Schedule 1 to the Personal Data (Privacy) Ordinance (Cap. 486) requires every data user — any organisation that controls the collection, holding, processing, or use of personal data — to take all practicable steps to protect personal data against unauthorised or accidental access, processing, erasure, loss, or use. The Office of the Privacy Commissioner for Personal Data (PCPD) has published guidance stating that a documented data breach response procedure is a key element of DPP4 compliance. Organisations that lack a plan when a breach occurs may be found in breach of DPP4 in any subsequent PCPD investigation.
For financial institutions regulated by the Hong Kong Monetary Authority (HKMA), the Supervisory Policy Manual (SPM) module TM-E-1 (Management of Cybersecurity Risks) requires authorised institutions to establish a cybersecurity incident management framework covering incident identification, response, recovery, and reporting. The HKMA’s Cybersecurity Fortification Initiative (CFI) provides a structured programme for enhancing cyber resilience. For corporations licensed by the Securities and Futures Commission (SFC), the SFC’s Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading require licensed persons to have documented incident response procedures.
The Crimes Ordinance (Cap. 200) criminalises unauthorised access to computer programs and data under sections 27A and 161. When an organisation is a victim of a cyber attack — ransomware, hacking, or data exfiltration — the incident response plan supports evidence preservation for referral to the Hong Kong Police Force’s Cyber Security and Technology Crime Bureau (CSTCB), which investigates cybercrime and liaises with the Police Technology Crime Division.
Hong Kong does not currently have mandatory data breach notification under the PDPO as of 2026 — proposed amendments to introduce mandatory notification remain pending. However, the PCPD’s Guidance on Data Breach Handling strongly encourages voluntary notification to the PCPD and affected individuals when a breach poses real risk of harm. An incident response plan that includes notification decision procedures positions the organisation to act quickly and demonstrate responsible data governance. Section 26 of the Personal Data (Privacy) Ordinance (Cap. 486) empowers the PCPD to issue enforcement notices requiring data users to remedy DPP4 contraventions identified after a cybersecurity incident. Section 161 of the Crimes Ordinance (Cap. 200) criminalises access to a computer with dishonest intent, and Section 27A prohibits unauthorised access to a computer — both sections are directly relevant when an organisation is the victim of hacking and decides whether to report the attack to the Hong Kong Police Force Cyber Security and Technology Crime Bureau (CSTCB). Forms-legal.com provides this Cybersecurity Incident Response Plan template aligned with PDPO DPP4, HKMA TM-E-1, SFC hacking guidelines, and PCPD data breach guidance for organisations across the Hong Kong Special Administrative Region.
When Do You Need a Cybersecurity Incident Response Plan (Hong Kong)?
A Cybersecurity Incident Response Plan in Hong Kong is required before any cyber incident occurs — organisations that develop their response procedures after an attack are invariably slower, less effective, and more exposed to regulatory and reputational consequences than those with pre-established plans.
Every organisation that processes personal data of Hong Kong individuals needs a plan to comply with DPP4 of the Personal Data (Privacy) Ordinance (Cap. 486). The PCPD’s published enforcement decisions consistently cite the absence of documented incident response procedures as an aggravating factor in breach investigations. Organisations investigated by the PCPD after a data breach who lack written response plans face higher risk of enforcement notices being issued under Cap. 486.
Authorised institutions regulated by the Hong Kong Monetary Authority (HKMA) — licensed banks, restricted licence banks, and deposit-taking companies — must comply with SPM module TM-E-1, which explicitly requires a cybersecurity incident management framework. HKMA-regulated institutions must report material cybersecurity incidents to the HKMA within specified timeframes, and the incident response plan establishes the internal escalation and reporting procedures that make timely HKMA notification possible.
Corporations licensed by the Securities and Futures Commission (SFC) — including licensed intermediaries, asset managers, and digital asset platforms — must comply with SFC circulars on cybersecurity risk management. The SFC has issued regulatory actions against licensed corporations that suffered cyber incidents without adequate incident response capabilities.
Healthcare organisations — Hospital Authority hospitals, private hospitals, clinics, and diagnostic laboratories — process highly sensitive patient health data. A cybersecurity incident affecting patient records creates both a PDPO DPP4 compliance issue and potential liability under the Hospital Authority Ordinance (Cap. 113) and the Medical Registration Ordinance (Cap. 161). An incident response plan specific to healthcare IT environments is essential.
Organisations that are part of critical infrastructure — telecommunications providers licensed under the Telecommunications Ordinance (Cap. 106), utilities, and transportation operators — may be subject to sector-specific cybersecurity requirements from the Office of the Government Chief Information Officer (OGCIO) and should have incident response plans aligned with Hong Kong’s Critical Infrastructure Protection framework.
Any organisation operating e-commerce platforms, payment systems, or digital services that collect Hong Kong customer financial data — credit card numbers, bank account details — faces the risk of financial fraud following a data breach and needs a plan that addresses both the cybersecurity response and the notification obligations to affected customers and the relevant regulators.
What to Include in Your Cybersecurity Incident Response Plan (Hong Kong)
A Cybersecurity Incident Response Plan for Hong Kong organisations must address nine core elements to satisfy DPP4 of the Personal Data (Privacy) Ordinance (Cap. 486), HKMA SPM module TM-E-1 requirements for authorised institutions, and PCPD data breach handling guidance.
Incident Classification Framework defines what constitutes a cybersecurity incident for the organisation and establishes severity tiers — from Tier 1 (minor, low impact, no personal data affected) through Tier 4 (critical, large-scale personal data breach, operational disruption, regulatory reporting required). Examples of classified incidents include unauthorised system access, ransomware infection, phishing credential compromise, distributed denial-of-service (DDoS) attack, insider data theft, and lost or stolen devices containing personal data.
Incident Response Team (IRT) identifies each IRT member by name and role — typically the Chief Information Security Officer (CISO) or IT Security Manager, the Data Protection Officer or PDPO Compliance Lead, Legal Counsel, the Communications Manager, and Senior Management. Contact details (24/7 mobile numbers) and authority levels must be documented and updated quarterly.
Detection and Initial Reporting establishes the monitoring systems, alerting tools (SIEM, intrusion detection), and employee reporting channels through which potential incidents are identified and escalated to the IRT. Every employee should know the single contact point for reporting a suspected incident, and the plan should specify the response time target from detection to IRT notification (typically 1 hour for Tier 3 and 4 incidents).
Containment Procedures sets out the immediate technical steps to stop the incident from spreading — isolating affected systems from the network, disabling compromised user accounts, blocking malicious IP addresses or domains, and preserving forensic evidence by creating disk images before remediation. Evidence preservation is critical if law enforcement referral to the Hong Kong Police CSTCB is anticipated.
Investigation and Forensic Analysis specifies how the IRT investigates the scope, cause, and impact of the incident — identifying the attack vector, the personal data or systems affected, the duration of the breach, and the identity of the threat actor where determinable. Engagement of external cybersecurity forensic specialists (such as those recommended by the HKMA’s list of approved cybersecurity service providers) should be addressed.
Notification Decision Tree guides the IRT through the decision of whether to notify the PCPD (voluntary under current Cap. 486), affected data subjects, the HKMA (mandatory for material incidents affecting HKMA-regulated institutions within the required timeframe), the SFC (mandatory for licensed corporations), the Hong Kong Police CSTCB, and any overseas regulators where cross-border data was affected. The PCPD’s notification criteria — real risk of harm to data subjects — should be applied systematically.
Recovery and Service Restoration defines the steps for restoring affected systems from clean backups, verifying the integrity of restored systems before bringing them back into production, and resuming normal operations. Recovery time objectives (RTO) and recovery point objectives (RPO) should be referenced from the organisation’s Business Continuity Plan, which the Cybersecurity Incident Response Plan should complement.
Post-Incident Review requires the IRT to conduct a structured debrief within 14 days of incident resolution, document lessons learned, update the plan and security controls to address identified weaknesses, and report findings to senior management and the board. HKMA-regulated institutions must maintain records of all material cybersecurity incidents and their resolution for HKMA supervisory review.
Testing and Training specifies the schedule for tabletop exercises simulating different incident scenarios, technical penetration testing and vulnerability assessments, and employee phishing simulation exercises — all recommended by the HKMA CFI programme and the PCPD’s data governance guidance to maintain organisational readiness. The forms-legal.com Cybersecurity Incident Response Plan (Hong Kong) template covers the mandatory elements under Personal Data (Privacy) Ordinance (Cap. 486).
Sources & Citations
Statutory citations link to official government sources.
- Personal Data (Privacy) Ordinance (Cap. 486) (HK official)
- Crimes Ordinance (Cap. 200) (HK official)
- Hospital Authority Ordinance (Cap. 113) (HK official)
- Medical Registration Ordinance (Cap. 161) (HK official)
- Telecommunications Ordinance (Cap. 106) (HK official)
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Cybersecurity Incident Response Plan (Hong Kong) [Legal document template]. Forms Legal. https://forms-legal.com/hong-kong/business/policies/cybersecurity-incident-response-plan-hong-kong
"Cybersecurity Incident Response Plan (Hong Kong)." Forms Legal, 2026, https://forms-legal.com/hong-kong/business/policies/cybersecurity-incident-response-plan-hong-kong.
@misc{formslegal-cybersecurity-incident-response-plan-hong-kong,
  author = {{Forms Legal}},
  title = {Cybersecurity Incident Response Plan (Hong Kong)},
  year = {2026},
  howpublished = {\url{https://forms-legal.com/hong-kong/business/policies/cybersecurity-incident-response-plan-hong-kong}},
  note = {Free legal document template. Based on Personal Data (Privacy) Ordinance (Cap. 486)}
}
Frequently Asked Questions
Hong Kong does not have a single cybersecurity law mandating an incident response plan for all organisations. However, several regulatory frameworks and legal obligations effectively require organisations to have incident response procedures in place.

The Personal Data (Privacy) Ordinance (Cap. 486) requires data users to take all practicable steps to protect personal data against unauthorised or accidental access, processing, erasure, loss, or use (DPP 4). Having a documented incident response plan that addresses data breaches is a key element of meeting this obligation. The PCPD has published guidance recommending that organisations establish data breach handling procedures and voluntarily notify affected individuals and the PCPD in the event of a breach.

For financial services: the HKMA’s Supervisory Policy Manual (module TM-E-1) requires authorised institutions to establish cybersecurity incident management frameworks. The SFC requires licensed corporations to have arrangements for managing cybersecurity risks and responding to incidents.

The Crimes Ordinance (Cap. 200) criminalises unauthorised access to computer systems (sections 27A and 161). An incident response plan helps organisations preserve evidence for potential criminal proceedings when they are victims of cyber attacks.

As of 2026, Hong Kong does not have a mandatory data breach notification requirement under the PDPO, though proposed amendments remain under consideration.
A comprehensive cybersecurity incident response plan for a Hong Kong organisation should include the following key components.
- Incident classification: Define what constitutes a cybersecurity incident, with severity levels. Examples include unauthorised access to systems or data, ransomware or malware infection, data exfiltration, denial of service attacks, phishing compromises, and insider threats. Each severity level should have defined response procedures and escalation paths.
- Incident response team: Identify the members of the incident response team, their roles, and their contact details. The team typically includes the IT security lead, the data protection officer or privacy contact, legal counsel, the communications manager, and senior management.
- Detection and reporting: Establish procedures for detecting incidents (monitoring, alerting, employee reporting) and internal reporting channels. All employees should know how to report a suspected incident.
- Containment: Immediate steps to contain the incident and prevent further damage — isolating affected systems, disabling compromised accounts, blocking malicious traffic.
- Investigation: Procedures for investigating the cause, scope, and impact of the incident, including forensic analysis and evidence preservation.
- Notification: Procedures for notifying affected individuals, the PCPD (voluntary under current PDPO), regulators (mandatory for HKMA/SFC-regulated entities), law enforcement (Hong Kong Police Cyber Security and Technology Crime Bureau), and other stakeholders.
As of 2026, Hong Kong does not have a mandatory data breach notification requirement under the Personal Data (Privacy) Ordinance (Cap. 486). Proposed amendments to introduce mandatory breach notification have been under consideration but have not yet been enacted. However, the PCPD strongly encourages voluntary notification and has published detailed guidance on data breach handling. The PCPD’s Guidance on Data Breach Handling and the Giving of Breach Notifications recommends that data users notify the PCPD and affected individuals when a data breach involving personal data has occurred or is likely to have occurred and the breach is likely to result in a real risk of harm to the affected individuals.
- Notification to the PCPD: The PCPD has a Data Breach Notification Form available on its website. The notification should include the nature of the breach, the categories and approximate number of affected individuals, the likely consequences, and the measures taken or proposed to address the breach.
- Notification to affected individuals: The PCPD recommends notifying affected individuals as soon as practicable after the breach is confirmed, providing information about what happened, what data was affected, what the individual can do to protect themselves, and who to contact for further information.
- Timing: The PCPD recommends notification as soon as practicable. For HKMA-regulated institutions, the HKMA requires notification within a specified timeframe (typically within 72 hours for material incidents).
The first 24 hours after discovering a cybersecurity incident are critical for limiting damage and preserving options for recovery and enforcement. Hong Kong organisations should follow these immediate steps.
- Activate the incident response team: Contact the designated IRT members immediately — the IT security lead, data protection officer, legal counsel, and senior management. Do not delay activation pending full understanding of the scope. Partial information is sufficient to begin the response.
- Contain without destroying evidence: Isolate affected systems from the network by disconnecting network cables or disabling Wi-Fi, but do not power off servers or wipe systems before forensic imaging. Evidence preservation is essential if referral to the Hong Kong Police Cyber Security and Technology Crime Bureau (CSTCB) is anticipated. Powering off systems may destroy volatile memory (RAM) containing critical forensic data.
- Preserve logs: Immediately secure system logs, firewall logs, email server logs, and any available endpoint detection and response (EDR) data. Many attackers delete logs during or after an attack — securing copies immediately limits this risk.
- Assess personal data involvement: Determine as quickly as possible whether personal data of Hong Kong individuals has been accessed or exfiltrated. If yes, DPP4 obligations under the Personal Data (Privacy) Ordinance (Cap. 486) are engaged, and the PCPD voluntary notification timeline begins running.
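The "preserve logs" step and the chain-of-custody requirement in clause 4.3 can be made repeatable with a small script. This is an added example, not part of the forms-legal.com template: it copies the named log files, hashes original and copy with SHA-256, writes a manifest recording who collected what and when, and re-checks the copies later; the file names, log lines and collector identity are constructed.

```python
"""Preserve incident logs with a SHA-256 chain-of-custody manifest.
Added example, not part of the forms-legal.com template; the demo file names,
log lines and collector identity are constructed."""
import hashlib
import json
import os
import shutil
from datetime import datetime, timezone


def sha256_file(path: str) -> str:
    """Hash a file in 1 MiB chunks so large logs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_evidence(sources: list[str], dest_dir: str, collector: str) -> dict:
    """Copy each source file into dest_dir and record who took it, when, and its hash.
    The original is hashed before copying and the copy afterwards, so the manifest
    attests that the preserved copy is byte-identical to the file at collection time."""
    os.makedirs(dest_dir, exist_ok=True)
    entries = []
    for src in sources:
        original_hash = sha256_file(src)
        dst = os.path.join(dest_dir, os.path.basename(src))
        shutil.copy2(src, dst)  # copy2 keeps the original modification time
        if sha256_file(dst) != original_hash:
            raise RuntimeError(f"copy of {src} does not match the original")
        os.chmod(dst, 0o444)  # read-only so accidental edits fail loudly
        st = os.stat(src)
        entries.append({
            "source_path": os.path.abspath(src),
            "preserved_as": os.path.basename(src),
            "size_bytes": st.st_size,
            "source_mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            "sha256": original_hash,
            "collected_at_utc": datetime.now(timezone.utc).isoformat(),
            "collected_by": collector,
        })
    manifest = {"entries": entries}
    with open(os.path.join(dest_dir, "manifest.json"), "w", encoding="utf-8") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_evidence(manifest: dict, dest_dir: str) -> list[str]:
    """Return the preserved files whose current hash no longer matches the manifest."""
    altered = []
    for entry in manifest["entries"]:
        path = os.path.join(dest_dir, entry["preserved_as"])
        if not os.path.exists(path) or sha256_file(path) != entry["sha256"]:
            altered.append(entry["preserved_as"])
    return altered


if __name__ == "__main__":
    import tempfile
    work = tempfile.mkdtemp()
    # Constructed sample lines standing in for firewall and authentication logs.
    samples = {
        "firewall.log": "2026-01-14T02:11:09Z DENY 203.0.113.7 -> 10.0.0.5:445\n",
        "auth.log": "2026-01-14T02:12:41Z sshd: Failed password for admin from 203.0.113.7\n",
    }
    for name, body in samples.items():
        with open(os.path.join(work, name), "w", encoding="utf-8") as f:
            f.write(body)
    evidence_dir = os.path.join(work, "evidence")
    manifest = preserve_evidence([os.path.join(work, n) for n in samples],
                                 evidence_dir, "IRT analyst (constructed)")
    print(json.dumps(manifest, indent=2))
    print("altered since collection:", verify_evidence(manifest, evidence_dir))  # []
```

Re-running `verify_evidence` at each hand-over (for example before a referral to the CSTCB) gives a documented check that the preserved copies are unchanged since collection.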
Hong Kong has several criminal offences that apply to cybercrime and cybersecurity incidents.
- Unauthorised access to computers: Section 161 of the Crimes Ordinance (Cap. 200) makes it an offence to obtain access to a computer with intent to commit an offence, with dishonest intent, or with a view to dishonest gain. The maximum penalty is 5 years imprisonment. Section 27A makes it an offence to access a computer with criminal or dishonest intent.
- Computer fraud: Using a computer to commit fraud or obtain property by deception is covered by sections 16A and 17 of the Theft Ordinance (Cap. 210), with maximum penalties of 10 to 14 years imprisonment.
- Unauthorised modification of computer data: Section 60 of the Crimes Ordinance covers criminal damage, which has been applied to cases involving modification or destruction of computer data.
- Telecommunications offences: The Telecommunications Ordinance (Cap. 106) criminalises certain activities related to interception of communications and unauthorised access to telecommunications systems.
- For victims of cybercrime: The Hong Kong Police Force’s Cyber Security and Technology Crime Bureau (CSTCB) is the specialised unit responsible for investigating cybercrime. Organisations should report cybercrime incidents to the CSTCB, which can investigate and, where appropriate, refer cases for prosecution.

From a PDPO perspective, a data breach caused by a cybersecurity incident may constitute a breach of DPP 4 (security). The PCPD may investigate, issue enforcement notices, and refer cases for prosecution.